- What: The DragonForce ransomware group, linked to Conti, has reemerged and aligned with Scattered Spider in global attacks.
- Impact: Over 200 victims have been exposed on DragonForce’s leak site since late 2023, across retail, airlines, and insurance sectors.

DragonForce reemerges as Conti-linked ransomware cartel, aligning with Scattered Spider in global attacks

November 06, 2025

New data from Acronis Threat Research Unit (TRU) analyzed DragonForce, a Conti-derived ransomware-as-a-service active since 2023, documenting its malware, affiliate model, and links to Scattered Spider. DragonForce rebranded as a ransomware cartel, allowing affiliates to white-label payloads and create variants like Devman and Mamona/Global, while defacing rival groups to reinforce its position in the ecosystem. DragonForce and LockBit Green share common lineage through the leaked Conti v3 code, leading to overlaps in routines and artifacts. Over 200 victims have been exposed on DragonForce’s leak site since late 2023, across retail, airlines, insurance, managed service providers (MSPs), and other enterprise sectors.

In early 2025, DragonForce began branding itself as a ransomware ‘cartel.’ This approach allows DragonForce to continue building its brand as one of the most notorious cybercriminal groups currently active, drawing attention from rivals and law enforcement. Through its affiliate program, DragonForce strengthened its position in the ransomware scene, attracting new partners and competing with more established RaaS operators. Additionally, this business model diversifies techniques and victims, making attribution increasingly difficult.

DragonForce employs BYOVD (bring your own vulnerable driver) attacks by using truesight[dot]sys and rentdrv2[dot]sys drivers to terminate processes. After an article appeared in Habr, a media platform focused on technology, internet culture, and related topics, which revealed weaknesses in Akira’s encryption, DragonForce quickly reinforced its own encryptor to avoid similar problems.

“Recently, DragonForce announced a rebrand, stating that the group would now operate as a cartel. This shift in operation strategy aims to grow their presence in the ransomware scene,” Darrel Virtusio, David Catalan Alegre, Eliad Kimhy, and Santiago Pontiroli, Acronis TRU researchers wrote in a Tuesday blog post. “By offering affiliates 80 percent of profits, customizable encryptors, and infrastructure, DragonForce lowers the barrier to entry and encourages more affiliates to join the cartel. Since then, DragonForce has been more active in attacking companies globally, posting more victims compared to a year ago. Their most notable attack, publicly attributed to the group, targeted retailer Marks & Spencer in collaboration with Scattered Spider.”

Beyond ransomware groups, the post mentioned that DragonForce has also expanded its partnerships to include other cybercriminal groups within the broader underground ecosystem. Scattered Spider is one that they had partnered with after branding themselves as a ‘cartel.’

“Scattered Spider is known for partnering with other notorious RaaS operators in the past, such as BlackCat, RansomHub, and Qilin, providing initial access to the victim’s network and handing over the access for ransomware deployment,” according to the researchers. “This recent partnership drew significant attention after the attack on major U.K. retailer Marks & Spencer, which researchers attribute to Scattered Spider–DragonForce operations. Though not confirmed, this incident fits the timeline of DragonForce’s rebrand just a month before, showing that Scattered Spider was quick to leverage DragonForce in its operations.”

DragonForce is a RaaS group that first appeared in 2023 and was initially associated with the hacktivist group DragonForce Malaysia, though concrete evidence linking the two is still limited. Ever since DragonForce entered the ransomware scene, they have been actively recruiting partners on underground forums for their operation.

The group started using the leaked LockBit 3.0 builder to develop its encryptors, then later adopted a customized Conti v3 code. Among DragonForce’s partners is Scattered Spider, an initial access broker known for collaborating with multiple ransomware operations.

Scattered Spider, a financially driven actor known for phishing, SIM swapping, and MFA bypass, partnered with operators tied to the DragonForce ransomware-as-a-service model. This collaboration evolved into broader overlaps with LAPSUS$ and ShinyHunters, forming what researchers dubbed the ‘Scattered LAPSUS$ Hunters’ within the ‘Hacker Com’ ecosystem.

“While the cartelization of cybercriminal groups is not new, it has gained momentum in recent years,” the researchers noted. “Beyond DragonForce, groups like Scattered Spider, LAPSUS$, and ShinyHunters have formed collectives such as Scattered LAPSUS$ Hunters, reportedly behind several high-profile breaches involving Salesforce customers. This shift from competition to collaboration marks a growing